Of Padlocks, Passwords and Passback


In college, I worked as a "night attendant" at my 900-plus student dormitory. The main doors were locked at midnight; after hours, residents could enter only by showing the night attendant a room key. Displeased by the school's no-overnight-guests rule, many enterprising students discovered the time-honored tactic known as "passback"—one shows the key, enters and goes upstairs, and then drops the key out a window so his guest can gain entry by presenting the unsuspecting (read: poorly trained) night attendant with the same key.

Access control has come a long way since then. Today's building access systems typically use swipe cards or proximity badges and, among many other data-driven features, are smart enough to prevent passback. (In some buildings, for example, a card must be used for egress before the system will authorize its use for entry again.) But that's just the tip of the technical iceberg. The following new products illustrate various ways that access control is getting smarter and, increasingly, more tightly integrated with other aspects of building and network management.

TAC I/Net Seven www.tac-global.com

TAC's slogan is "open systems for building IT," and the I/Net Seven suite integrates security control features (including CCTV, badging and alarm monitoring) with other building management functions, including HVAC and lighting control.

S2's NetBox www.s2securitycorp.com

NetBox is a new building security appliance product (officially announced in June) offering browser-based control from anywhere on the network. Its features, in some cases through plug-in modules, include access control and monitoring of alarms, IP videocameras, intercom and temperature. Additionally, the system can store related information such as vehicle data for parking lot checks.

Synergistics' Presidio www.synergisticsinc.com

Presidio is a building access control software suite; users deploy it on a Web server and again use a standard browser for centralized configuration and monitoring of card readers and doors. The system provides multiple customizable access levels and operator levels; alarm notifications that can be routed to pagers or through e-mail; and historical logs with numerous filtering and reporting capabilities.

CoreStreet www.corestreet.com and Assa Abloy www.assaabloy.com

This fall, CoreStreet and Swedish lock maker Assa Abloy announced a most interesting twist on access management, which the two companies tout as "the world's first disconnected intelligent door locks."

CoreStreet's president, Phil Libin, says his company's goal was to solve the problem he describes as "distributed validation: how do you prove that you're allowed to do whatever you're doing, if [the authorization system] can't rely on real-time access to a central database?" The solution involves locks that read and write digital authentication certificates. Every employee's card that is swiped at a networked location is checked against the central access control database, which writes a time-sensitive, encrypted certificate (essentially just a small amount of data) onto the card: yes, Larry is authorized to go through this door at this time. Non-networked doors look for that certificate on the card. The twist is that the networked door also uses Larry's card to disseminate updates about other employees' authorizations. If another employee, Joe, is fired at 5 p.m. on Tuesday, every door that reads Larry's card on Wednesday also will be updated about Joe's nonauthorized status.
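The card-carried scheme described above can be sketched in a few lines. This is an added example, not CoreStreet's or Assa Abloy's code and not the KeyFast format: it assumes an HMAC tag under a shared key in place of the encrypted certificate, and the names `networked_swipe` and `OfflineLock`, the door name and the hour-based timestamps are all hypothetical.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: one MAC key shared by issuer and locks

def _seal(payload):
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "mac": hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()}

def _open(record):
    """Return the payload if its MAC verifies, otherwise None."""
    if not record:
        return None
    good = hmac.new(KEY, record["body"].encode(), hashlib.sha256).hexdigest()
    return json.loads(record["body"]) if hmac.compare_digest(good, record["mac"]) else None

def networked_swipe(card, holder, door, now, ttl, revoked):
    """Networked reader: the central database has approved this swipe, so write a
    short-lived grant and the current revocation list onto the card."""
    card["grant"] = _seal({"holder": holder, "door": door, "not_after": now + ttl})
    card["revocations"] = _seal({"revoked": sorted(revoked)})

class OfflineLock:
    def __init__(self, door):
        self.door = door
        self.revoked = set()  # learned only from cards presented at this door

    def swipe(self, card, now):
        news = _open(card.get("revocations"))
        if news:  # absorb updates before deciding on the bearer
            self.revoked |= set(news["revoked"])
        grant = _open(card.get("grant"))
        return bool(grant and grant["door"] == self.door
                    and now <= grant["not_after"]
                    and grant["holder"] not in self.revoked)

def demo():
    """Times are hours since Monday 00:00 (constructed scenario)."""
    lock, joe, larry = OfflineLock("lab"), {}, {}
    networked_swipe(joe, "joe", "lab", now=33, ttl=48, revoked=[])  # Tue 09:00
    before = lock.swipe(joe, now=50)      # Joe fired at 41; this lock has not heard
    networked_swipe(larry, "larry", "lab", now=57, ttl=12, revoked=["joe"])  # Wed 09:00
    larry_in = lock.swipe(larry, now=58)  # Larry enters and delivers the update
    after = lock.swipe(joe, now=59)       # Joe's unexpired grant is now refused
    expired = lock.swipe(larry, now=70)   # past not_after (57 + 12 = 69)
    forged = dict(larry, grant=dict(larry["grant"], body=larry["grant"]["body"].replace("69", "99")))
    return before, larry_in, after, expired, lock.swipe(forged, now=70)

if __name__ == "__main__":
    print(demo())
```

The first result is the exposure window: until a card carrying the update reaches a disconnected door, a revoked but unexpired grant still opens it, so the grant lifetime bounds the worst case. A deployment would more plausibly use public-key signatures so that a lock holds no secret capable of minting grants.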

Assa Abloy has licensed CoreStreet's certificate technology (dubbed KeyFast) for use across all the Swedish company's units, which include more familiar U.S. brands such as lock company Yale Residential Security Products and smart-card maker HID. At roughly $1,000 per lock/reader, this is not cheap stuff, but CSOs with the right mix of distributed, sensitive facilities may find it a useful solution.


Copyright © 2004 IDG Communications, Inc.
